
I was looking to find the best balanced settings for Torguard, providing the most security with only a reasonable hit to throughput, but could not find many details online. I decided to run some throughput tests on a few combinations of settings to determine the best option.
The tests were done using speedtest.net with the same fixed remote server for all tests. In Torguard, using the pin feature, I also fixed the VPN server IP for all tests. Throughput obviously varied based on server/ISP load, but not by much. Also, for any test combinations where the numbers did not seem to make sense, I verified by running the test again.
Fixed Variables
- Software Version - v3.90.0
- Used OpenVPN. I did test with OpenConnect with not much difference in speed, and from the research so far OpenVPN is the more secure, reliable option as of now.
- Used UDP. TCP was about 40% slower than UDP, and for general PC use losing a few packets has almost no noticeable effect.
- Port - 1195 (SHA 256)
- All other settings excluding the configuration changes listed below in the test were at default values.
- Tests were done in order of security level (low to high) starting with Torguard completely disabled.
Test Results

| Encryption        | Network Settings                               | DL (Mbps) | Loss |
|-------------------|------------------------------------------------|-----------|------|
| Torguard Disabled | Torguard Disabled                              | 193       | 0%   |
| AES-128-CBC       | Default                                        | 164       | 15%  |
| AES-128-GCM       | Default                                        | 166       | 16%  |
| AES-256-CBC       | Default                                        | 160       | 20%  |
| AES-256-GCM       | Default                                        | 155       | 24%  |
| AES-256-CBC       | Block Outside DNS = On, Name Server = None     | 163       | 19%  |
| AES-256-GCM       | Block Outside DNS = On, Name Server = None     | 176       | 10%  |
| AES-256-CBC       | Block Outside DNS = On, Name Server = VPN DNS  | 161       | 18%  |
| AES-256-GCM       | Block Outside DNS = On, Name Server = VPN DNS  | 175       | 11%  |
| AES-256-CBC       | Block Outside DNS = On, Name Server = Google   | 163       | 17%  |
| AES-256-GCM       | Block Outside DNS = On, Name Server = Google   | 163       | 18%  |
| AES-256-CBC       | Block Outside DNS = Off, Name Server = VPN DNS | 164       | 18%  |
| AES-256-GCM       | Block Outside DNS = Off, Name Server = VPN DNS | 164       | 18%  |
Summary
- Using AES-256 vs AES-128 showed a minor drop in throughput.
- Adding the extra layers of security under DNS to prevent DNS resolve leaks had no negative impact on throughput.
- Surprisingly, after multiple repeat tests, AES GCM (more secure) seems to provide better results using some of the DNS settings.
Again, there are obviously a lot of other variables that would have impacted some of the results, so they cannot be 100% accurate. It is also a limited test, only taking 2 servers into account, but it does give a decent general idea of what the best balanced options would be.
Based on this test, the last configuration (in green) is the most secure option with a low amount of loss in throughput.
Hope this helps; any questions or corrections, let me know.

Hello All,
I am the guy - directnupe - who wrote the guides - https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/
and https://forum.lede-project.org/t/adding-dns-over-tls-support-to-openwrt-lede-with-unbound/13765 .
You can also leave out GETDNS and STUBBY; see here: https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ # "read all guides to see how to install and run UNBOUND"
Prerequisite
You have a CA cert bundle installed on your router.
You can do this by running the following:
    opkg update
    opkg install ca-certificates
    opkg install luci-ssl
For all of those who are using UNBOUND with tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt option:
This will have to wait until OpenSSL 1.1.x is included in OpenWrt/Lede, or until the Unbound devs find a way to validate it without using a function only available in OpenSSL 1.1.x; the current OpenSSL version (1.0.2o) does not support this feature. If you need more storage and swap memory for your router, see here: http://ediy.com.my/index.php/blog/item/118-how-to-increase-storage-on-tp-link-tl-mr3020-with-extroot and here: https://samhobbs.co.uk/2013/11/more-space-for-packages-with-extroot-on-your-openwrt-router
For DNS-Over-TLS support to OpenWRT (LEDE) with Unbound without GETDNS and STUBBY -
see this article - https://www.ctrl.blog/entry/unbound-tls-forwarding and https://www.monperrus.net/martin/randomization-encryption-dns-requests
In OpenWrt / Lede the ca-certificates package is located in /etc/ssl/certs/ca-certificates.crt much like Debian/Ubuntu.
So, as the title of the article says, in order to "Actually secure DNS over TLS in Unbound"
you should configure it thusly (using Cloudflare and Quad9 for this example; IPv4 and IPv6 if you so choose):
First go into the SSH shell and enter: nano /etc/unbound/unbound_srv.conf
Enter the following in the new file:
    server:
        do-tcp: yes
        prefetch: yes
        qname-minimisation: yes
        rrset-roundrobin: yes
        use-caps-for-id: yes
        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt
Then hit (Ctrl + o); you will be asked to write the file; hit Enter to save it,
then (Ctrl + x) to close the file and go back into the shell.
Next go into the SSH shell and enter: nano /etc/unbound/unbound_ext.conf
Enter the following in the new file:
    forward-zone:
        name: "."
        # Format is IP@port#auth-name: 853 is the DNS-over-TLS port, and the name
        # after '#' is checked against the server certificate (do not put comments
        # on the same line as a forward-addr, '#' would be read as the auth name)
        forward-addr: 2620:fe::fe@853#dns.quad9.net
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 2620:fe::9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-ssl-upstream: yes
Then hit (Ctrl + o); you will be asked to write the file; hit Enter to save it,
then (Ctrl + x) to close the file and go back into the shell.
I use GetDns Stubby and Unbound - so this is not how I employ DNS-Over-TLS ( see first 2 links above if you wish to take a look at that option )
Look at bottom of page on reddit post for related entry
Peace,
directnupe
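As an added illustration of what an Unbound forwarder line of the form `forward-addr: IP@853#auth-name` actually does (this is example code written for this thread, not from directnupe's guide or from Unbound), the Python below builds a DNS query, frames it with the 2-byte length prefix that DNS over TCP and TLS use, and parses the answer section; `query_dot()` performs a real lookup on port 853 with the certificate chain validated against the CA bundle path named in the guide and the host name checked against the auth name. The response bytes parsed offline are constructed for this example, and the bundle path is an assumption taken from the guide (OpenWrt/Debian layout).

```python
import socket
import ssl
import struct

# Added example, not from the guide. Wire view of `forward-addr: IP@853#name`
# (RFC 7858): an ordinary DNS message, 2-byte length prefix, inside a TLS
# session validated against the CA bundle and the name after the '#'.

CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # assumed: bundle path from the guide
TXID = 0x1234


def build_query(qname, qtype=1, txid=TXID):
    """Build a minimal recursive (RD=1) DNS query for qname, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """DNS over TCP and over TLS prefix every message with its big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end


def parse_a_records(msg, expected_txid=TXID):
    """Return IPv4 addresses from the answer section; reject id mismatch or rcode != 0."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server_ip, auth_name, qname, ca_bundle=CA_BUNDLE):
    """Send one query to server_ip:853; the chain and the auth name are both checked."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_tcp(build_query(qname)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


# Constructed response (not captured traffic): example.com with one A record,
# owner name compressed via a pointer to offset 12, TTL 3600.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print("offline parse:", parse_a_records(CONSTRUCTED_RESPONSE))
    # Live check of one of the guide's forwarders (needs network and the CA bundle):
    # print(query_dot("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

Run it as-is to see the offline parse; uncomment the `query_dot()` call to test one of the forwarders. If the bundle is missing, or the auth name does not match the certificate, `ssl` raises before a single query byte is sent, which is the same failure the `tls-cert-bundle` option makes Unbound enforce instead of silently forwarding to whoever answers on 853.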

Cloudflare launched the privacy-first DNS 1.1.1.1 and 1.0.0.1.
You can find out more at https://1.1.1.1 and https://news.ycombinator.com/item?id=16727869
I would love to hear thoughts on how they compare to TorGuard DNS.

Attention: TorGuard foreign servers in Switzerland and Iceland are leaking DNS data traceable to a US-based IP address. These connections are NOT secure. Please remember to ALWAYS use https://www.dnsleaktest.com to verify a secure connection.

For the fields under the Network tab -> DNS, I'm curious what others use here when adding their choice of DNS servers, like from OpenNIC, dnscrypt, etc. Best practice to ensure anonymous DNS lookups and such.
tia

Looks like a nice 🕳️, what's going on?
Since today I see more than 1 DNS server on DNS leak; these are all Torguard's, which I actually really like to see:
8.0.11.12 DNS-8-0-11-15.Chicago1.Level3.net Level 3 Communications United States
8.0.11.15 cns3.Chicago2.Level3.net Level 3 Communications United States
8.0.11.0 DNS-8-0-11-8.Chicago1.Level3.net Level 3 Communications United States
8.0.10.6 DNS-8-0-11-11.Chicago1.Level3.net Level 3 Communications United States
8.0.10.11 DNS-8-0-11-9.Chicago1.Level3.net Level 3 Communications United States
8.0.10.7 DNS-8-0-10-1.Chicago1.Level3.net Level 3 Communications United States
8.0.11.8 DNS-8-0-11-14.Chicago1.Level3.net Level 3 Communications United States
8.0.10.3 DNS-8-0-11-4.Chicago1.Level3.net Level 3 Communications United States
8.0.10.13 DNS-8-0-10-2.Chicago1.Level3.net Level 3 Communications United States
8.0.10.1 DNS-8-0-11-6.Chicago1.Level3.net Level 3 Communications United States
8.0.11.11 DNS-8-0-10-12.Chicago1.Level3.net Level 3 Communications United States
8.0.11.9 DNS-8-0-10-6.Chicago1.Level3.net Level 3 Communications United States
8.0.10.9 DNS-8-0-10-11.Chicago1.Level3.net Level 3 Communications United States
8.0.11.7 DNS-8-0-11-12.Chicago1.Level3.net Level 3 Communications United States
8.0.11.14 DNS-8-0-10-3.Chicago1.Level3.net Level 3 Communications United States
8.0.11.4 DNS-8-0-10-7.Chicago1.Level3.net Level 3 Communications United States
8.0.10.2 DNS-8-0-10-9.Chicago1.Level3.net Level 3 Communications United States
8.0.11.6 DNS-8-0-10-13.Chicago1.Level3.net Level 3 Communications United States
8.0.10.12 DNS-8-0-11-7.Chicago1.Level3.net Level 3 Communications United States
8.0.11.5 DNS-8-0-11-5.Chicago1.Level3.net Level 3 Communications United States
So, is it just on me/my server or is this implemented already on most servers?

Check DNS requests guide
(webarchive)
In the previous guide, I described how to get rid of your ISP or any other service (even TorGuard itself) hijacking your DNS (webarchive).
In this topic I will show how you can simply find out what exactly is going on with port 53, which is the default DNS port.
Requirements
HowTo/Wiki/Links
Please read about tcpdump usage and how-to on GitHub. I will show here one example where I check DNS requests on tun0, which is my OpenVPN tunnel connected to TorGuard. You can filter the command from the codebox below, but for simplicity, here it is:
    # tcpdump -vvv -i YOURINTERFACE port PORTNUMBER
    # Please look here for an explanation of the other options:
    # - https://github.com/the-tcpdump-group/tcpdump
    tcpdump -vvv -i tun0 port 53
Logfile of the test dump (it is long, that is why I put it into a spoiler, for a better overview).
This is an example of port 53 (DNS requests) when starting a stream on Netflix US (it will run until you stop it; you can do that by pressing CTRL+C on your keyboard).
Results
Here we received 26 packets and now we have a clear overview of the DNS requests. What did we find? Let's take one line out of this log as an example:
05:40:20.548149 IP (tos 0x0, ttl 64, id 59800, offset 0, flags [none], proto UDP (17), length 529)
b.resolvers.Level3.net.53 > 10.35.0.6.25006: [udp sum ok] 38042 q: A? ipv4_1-lagg0-c158.1.ord001.ix.nflxvideo.net. 1/8/10 ipv4_1-lagg0-c158.1.ord001.ix.nflxvideo.net. [1h] A 108.175.38.188 ns: ix.nflxvideo.net. [3h48m5s] NS pdns154.ultradns.com., ix.nflxvideo.net. [3h48m5s] NS pdns154.ultradns.net., ix.nflxvideo.net. [3h48m5s] NS ns2.p30.dynect.net., ix.nflxvideo.net. [3h48m5s] NS ns3.p30.dynect.net., ix.nflxvideo.net. [3h48m5s] NS pdns154.ultradns.biz., ix.nflxvideo.net. [3h48m5s] NS pdns154.ultradns.org., ix.nflxvideo.net. [3h48m5s] NS ns4.p30.dynect.net., ix.nflxvideo.net. [3h48m5s] NS ns1.p30.dynect.net. ar: pdns154.ultradns.com. [1d19h29m25s] A 156.154.64.154, pdns154.ultradns.com. [16h59m27s] AAAA 2001:502:f3ff::be, ns3.p30.dynect.net. [3h48m10s] A 208.78.71.30, pdns154.ultradns.org. [15h27m14s] AAAA 2001:502:4612::be, ns4.p30.dynect.net. [3h48m10s] A 204.13.251.30, ns2.p30.dynect.net. [3h48m10s] A 204.13.250.30, pdns154.ultradns.net. [1d3h48m5s] A 156.154.65.154, pdns154.ultradns.net. [2h55m55s] AAAA 2610:a1:1014::be, pdns154.ultradns.biz. [15h27m14s] AAAA 2610:a1:1015::be, ns1.p30.dynect.net. [3h48m10s] A 208.78.70.30 (501)
Basically, all lines do the same if you take a closer look: when you press the play button in your browser, Netflix contacts these servers on port 53. Chosen line in a more understandable format:
Please do not think that preventing Netflix from making this check (DNS request) will help you with their service; this is not enough. But if you need to redirect anything, this is how to get the required information, or simply to log your network.
If there are requests, I'll write you a GUI for LuCI in OpenWrt where you can make these tests, or whatever the goal of the requested app could be.
You are free to discuss your (or my) results, check your ISP's, and if you agree with anything, well, listening to people on the internet is not good; trying it out and doing it yourself is good. In the end, whatever you want to do, you can automate it, i.e. redirecting all these requests to your StreamIP (lol, this would have worked until the last crackdown but not anymore). Other services still work with that, and there are plenty of streaming services.
However, it's good to know what your network does, at least on important ports like D
Hope my terrible English is good enough for writing guides, but sorry for typos or some strange expressions.
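To turn the raw dump into something reviewable, here is an added example (written for this thread, not part of the guide) that reads `tcpdump -vvv` port-53 output in the two-line shape shown above, works out which endpoint is the resolver from the port number, pulls the query type and name, and flags every resolver that is not in the set you expect the VPN to push. The sample lines are constructed for the example, and `10.35.0.1` is assumed to be the tunnel's resolver.

```python
import re
import sys
from collections import Counter

# Constructed sample in the shape of `tcpdump -vvv -i tun0 port 53` output
# (timestamp header line, then an indented DNS line). Made up for this
# example, not captured traffic; 10.35.0.1 plays the resolver pushed by the VPN.
SAMPLE_DUMP = """\
05:40:20.548149 IP (tos 0x0, ttl 64, id 59800, offset 0, flags [none], proto UDP (17), length 529)
    b.resolvers.Level3.net.53 > 10.35.0.6.25006: [udp sum ok] 38042 q: A? ipv4_1-lagg0-c158.1.ord001.ix.nflxvideo.net. 1/8/10 ipv4_1-lagg0-c158.1.ord001.ix.nflxvideo.net. [1h] A 108.175.38.188 (501)
05:40:20.551002 IP (tos 0x0, ttl 64, id 59801, offset 0, flags [DF], proto UDP (17), length 71)
    10.35.0.6.41022 > 10.35.0.1.53: [udp sum ok] 4711+ A? api-global.netflix.com. (43)
05:40:21.002311 IP (tos 0x0, ttl 64, id 59802, offset 0, flags [DF], proto UDP (17), length 66)
    10.35.0.6.53011 > 8.8.8.8.53: [udp sum ok] 4712+ AAAA? example.com. (38)
"""

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)")
ENDPOINTS_RE = re.compile(r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):")
QUESTION_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")


def parse_dns_dump(text, expected_resolvers):
    """Turn tcpdump port-53 output into records, flagging resolvers outside the expected set."""
    expected = set(expected_resolvers)
    records, last_ts = [], None
    for line in text.splitlines():
        ts = TS_RE.match(line)
        if ts:                       # header line carries the timestamp for the DNS line below
            last_ts = ts.group(1)
        ep = ENDPOINTS_RE.search(line)
        if not ep:
            continue
        # whichever side uses port 53 is the resolver; the other side is the client
        if ep.group("sport") == "53":
            resolver, direction = ep.group("src"), "response"
        elif ep.group("dport") == "53":
            resolver, direction = ep.group("dst"), "query"
        else:
            continue
        q = QUESTION_RE.search(line)
        records.append({
            "time": last_ts,
            "direction": direction,
            "resolver": resolver,
            "qtype": q.group("qtype") if q else None,
            "qname": q.group("qname") if q else None,
            "leak": resolver not in expected,
        })
    return records


def leaking_resolvers(records):
    """Count packets per resolver that is not in the expected set."""
    return Counter(r["resolver"] for r in records if r["leak"])


if __name__ == "__main__":
    # Usage: tcpdump -vvv -i tun0 port 53 > dump.txt; python3 dns_leak_check.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    recs = parse_dns_dump(text, expected_resolvers={"10.35.0.1"})
    for r in recs:
        flag = "LEAK" if r["leak"] else "ok  "
        print(f"{flag} {r['time']} {r['direction']:8} {r['resolver']:28} {r['qtype']}? {r['qname']}")
    print("resolvers outside the VPN:", dict(leaking_resolvers(recs)))
```

On the sample, the Level3 response and the query to 8.8.8.8 are flagged while the query to the tunnel resolver is not. Run on a real dump, a non-empty `leaking_resolvers()` result is the same evidence dnsleaktest.com gives, but taken on your own interface, so it also shows which process-level names (here the Netflix CDN host) were resolved outside the tunnel.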

I have already posted how to prevent hijacking of your DNS by your ISP.
There are some ISPs like Verizon, T-Mobile, ... which send all traffic over port 53 (yes, they hijack your DNS), regardless of which DNS servers you use.
Here is how to get rid of that and redirect it to some other address with the help of iptables instead of editing dnsmasq in the WebIF (which is still my preferred solution for most tasks). In this example I'll redirect all DNS requests to my custom DNS server, on lan1 in this case, which is my local DNS server.
OpenWrt (I think DD-WRT should work too, but I did not test it on DD-WRT; basically it should be the same, just check the names of the devices):
    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1
On OpenWrt and other releases, switch on masquerading; it is required.
Now a question to TorGuard: do you/can you offer alternative ports for those who maybe can't use the first method described, nor this second solution?
To find out what is going on through your DNS port, read here.

The TG VPN update of November 19, 2016 has somehow changed my adapter settings for my ethernet, wifi, and its very own TAP Windows adapter, causing no response from the DNS server.
So basically, I could not connect to the internet (by ethernet or wifi) and I figured out by myself how to fix the issue. I had to change the IPv4 and IPv6 settings on said adapters to obtain IPv4 and IPv6 addresses and DNS server addresses automatically, and that would fix the issue... BUT then the settings would change again, so I have to figure out which adapter had its settings changed, whether it be the TG (TAP) adapter or my own ethernet or wifi adapters, and I have to manually fix it. Is this some kind of glitch??? or error?

Hello,
I'm trying to keep my DNS servers pointed to the TG servers:
104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7
In order to do this, I wrote a script for OS X:
    #!/bin/bash
    sleep 5
    networksetup -setdnsservers Wi-Fi 104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7
The script file has permissions: -r-xr-xr-x 1 username staff
For some reason it doesn't set the DNS automatically after connection. It requires me to run it manually with sudo from the command line.
Any idea how to achieve that?

Hello everyone,
I'm on Ubuntu 16 and I am having a problem with the DNS on ipleak.net. When I use it on Windows it will show the server in either France or Sweden (I usually use Stockholm). When I use it on here it shows around 20 or so IPs from the US. They are different from what I get when I don't use Torguard, however.
The method I use is Network Connections, Edit, IPv4, then I add the additional servers. It might have to do with this tun connection that I see. Anyone have any ideas?

TorGuard V 0.3.47
Debian jessie
ISP AT&T
I can't stop AT&T from hijacking my DNS requests. When I first connect with TorGuard (stop DNS blocking enabled) DNSLeakTest shows various DNS servers depending on what TorGuard server I use. But after a few minutes, anywhere from immediately to 30 mins, AT&T starts hijacking my DNS requests.
Any suggestions?
Thanks AT&T for your douchebaggery, but there is no reason you need to know what I'm doing. I f'n hate being tracked!

On one of my devices I've been getting the following error all day long when I connect to torguard: "Blocking DNS Failed!" The connection is then dropped. This device has connected without issue in the past, and other devices are connecting as normal on the same network. I didn't change anything in the settings.
Any suggestions?
Edit: This problem seems to have been fixed by updating torguard. The auto-updater didn't show a new version until today.

Hello. While using both Torguard Lite and Viscosity, on the website ipleak.net I still get DNS leaks. In a post a month or so ago they mention changing the DNS to use a static one that is provided. I don't see a way to change it through either application. Would I have to change it through Windows, and if I do, will that affect anything while I am not using a VPN?
Also, I am using Firefox and have changed the setting that allows for the RTC leak.

Hi,
I've installed the Torguard app ( https://play.google.com/store/apps/details?id=net.torguard.openvpn.client) on my Android 4.2.2
The VPN is working but my DNS is leaking. I did my tests with
https://dnsleaktest.com/
Does the application even try to change the DNS?
Did you publish a guide or do you have suggestion on how to solve this problem?
P.S. Your service to test DNS doesn't work; I think because it's an https page that tries to load some http content:
https://torguard.net/vpn-dns-leak-test.php